1 简述

TCP wrappers is a simple tool to block incoming connection on application level. This was very useful 20 years ago, when there were no firewalls in Linux. This is not the case for today and connection filtering should be done in network level or completely in application scope if it makes sense. After recent discussions I believe it is time to go for this package, if not completely, than at least as a dependency of modern daemons in system by default.

2 详细描述

The last version of tcp_wrappers was released 20 years ago (although IPv6 support was added later). At that time it was very powerful tool to "block all traffic", but these days we can do the same thing using firewalls/iptables/nftables for all traffic on network level or use similar filtering at the application level.

One of the motivating factors for this change was the removal of TCP wrappers support from systemd and OpenSSH in 2014, based on the thread on fedora devel list [1]. Another thread was started during 2017 [2] which is trying to explain the reasons why we should do that with other constructive ideas.

Another factor which has driven the deprecation of this package is the lack of any upstream community around it. Although the threats on networking communications continually increase, the threat coverage of this package has remained the same over the last two decades, leading one to draw the inference that new threats are now being handled by different components.

3 升级影响

Updating from older versions might expose existing services "protected" by tcp_wrappers before (sshd). The removal needs to be explicitly mentioned in the migration guide/release notes so the users are able to configure different layer of security (firewalld, application configuration) if this was the only one they used.

4 替代方案

After removing the libwrap dependency from openssh, it will stop using rules defines in /etc/hosts.deny. The functionality can be "added back" if needed to any socket-activated service. For example SSHD:

  • Disable sshd.service
systemctl disable sshd
  • Copy the shipped sshd@.service to /etc:
cp {/usr/lib,/etc}/systemd/system/sshd@.service
  • Modify the ExecStart line in the above file under /etc/ from
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY

to

ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
  • Reload systemctl
systemctl daemon-reload
  • Enable and start sshd.socket
systemctl enable sshd.socket

systemctl start sshd.socket
  • Verify that you can connect to new service (not working now, because it is blocked by SELinux). Blocked by the bug #1482554 [3].

A similar approach can be used for other services to drop the tcp_wrappers dependency.

参考链接:

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

https://serverfault.com/questions/869431/openssh-removed-support-for-tcp-wrappers-now-what-no-hosts-allow-for-ssh-acce

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/UOAUI4TC6PQVHRJ2ONQ2N3IKHR4577VH/    废弃后如何实现原有功能

为什么tcp-wrappers被Redhat Centos Fedora废弃?的更多相关文章

  1. Fedora Redhat Centos 有什么区别和关系?

    Fedora Redhat Centos 有什么区别和关系? 经常看到有人讨论服务器的操作系统,比如 Readhat 和 Centos,还有 Ubuntu Server. 可能 Ubuntu Serv ...

  2. CentOS 访问控制列表(tcp wrappers)

    1.TCP Wrappers是一个工作在应用层的安全工具,它只能针对某些具体的应用或者服务起到一定的防护作用.比如说ssh.telnet.FTP等服务的请求,都会先受到TCP Wrappers的拦截. ...

  3. 在RedHat/CentOS下安装Docker(不升级内核)

    由于内核版本问题,最初仅Ubuntu可以较好的支持Docker.不过,由于RedHat系列OS(REHL.CentOS)是目前主流的Linux服务器操作系统,所以令RedHat系列OS支持Docker ...

  4. RHEL/CentOS/Fedora各种源(EPEL、Remi、RPMForge、RPMFusion)配置

    最新文章:Virson’s Blog CentOS默认自带CentOS-Base.repo源,但官方源中去除了很多有版权争议的软件,而且安装的软件也不是最新的稳定版.Fedora自带的源中也找不到很多 ...

  5. Install MongoDB on Red Hat Enterprise, CentOS, Fedora, or Amazon Linux

    Install MongoDB on Red Hat Enterprise, CentOS, Fedora, or Amazon Linux¶ Overview Use this tutorial t ...

  6. RHEL/CentOS/Fedora常用的 CentOS 5/6/7 yum 源(EPEL、Remi、RPMForge、RPMFusion, ius,163,sohu,阿里云)配置

    RHEL以及他的衍生发行版如CentOS.Scientific Linux为了稳定,官方的rpm repository提供的rpm包往往是很滞后的,当然了,这样做这是无可厚非的,毕竟这是服务器版本,安 ...

  7. Linux下载_Linux系统各种版本ISO镜像下载(redhat,centos,oracle,ubuntu,openSUSE)

    以下是风哥收集的Linux系统各种版本ISO镜像下载,包括redhat,centos,oracle,ubuntu等linux操作系统. Linux下载1:红帽RedHat Linux(RHEL5.RH ...

  8. RHEL/CentOS/Fedora各种源

    CentOS 默认自带 CentOS-Base.repo 源, 但官方源中去除了很多有版权争议的软件, 而且安装的软件也不是最新的稳定版. Fedora 自带的源中也找不到很多多媒体软件, 如果需要安 ...

  9. Docker运行操作系统环境(BusyBox&Alpine&Debian/Ubuntu&CentOS/Fedora)

    目前常用的Linux发行版主要包括Debian/Ubuntu系列和CentOS/Fedora系列.前者以自带软件包版本较新而出名:后者则宣称运行更稳定一些.选择哪个操作系统取决于读者的具体需求.同时, ...

随机推荐

  1. JAVA-第一期学习(上)

    前言 果然,flag这个东西不能随便立,在我立志要学习java的第4天,我终于打开了我的eclipse.. 本章学习的内容是红框,第一期学习.真好,7月份需要学习完的东西,现在连helloworld还 ...

  2. Linux系统平台调优

  3. kali Linux 入门(一)

    一.描述 1.基于Debian Linux 发行版 2013年3月13日 2.包含约600个安全工具 3.定制 安全稳定的内核 4.前身是BackTrack(2013年停止维护) 5.官方机构:Off ...

  4. HTML超链接应用场景

    页面间的连接 A页到B页,最常用,用于网络导航. 如图所示: ********************************************************************* ...

  5. mybatis基本查询

    <?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE mapper PUBLIC "-/ ...

  6. 指针使用const修饰总结

    1 double rates[5] = {1, 2, 3, 4, 5}; const double * pd = rates; 被pd指向的值不可改变,比如,不允许*pd = 20 但是pd的指向改变 ...

  7. markdown解析与着色

    markdown解析与着色 简介 最近在调整博客园博客样式,使用markdown发表的博客.这个不要太好用,有道云+markdown简直绝配,可以发在任何支持markdwon的博客网站,样式基本不会走 ...

  8. 51nod 1714:B君的游戏(博弈 sg打表)

    题目链接:https://www.51nod.com/onlineJudge/questionCode.html#!problemId=1714 nim游戏的一个变形,需要打出sg函数的表 #incl ...

  9. Echarts--Y坐标标题显示不全

    如:下图,Y坐标标题显示不全 y2可以控制不显示区域的高度,就能显示全啦 grid:{ x:40, x2:100, y2:200 }

  10. 安装windows10和fedora23双系统的一些注意事项

    在安装双系统windows10和fedora的过程中遇到了很多的问题,博主也是在慢慢的摸索中最后莫名其妙的成功的安装双系统. 当然,幸亏博主机智的记住了中间的一些细节,所以大致上的有一些注意事项希望能 ...